PACKET RAT: Hidden software on Sony CDs could have you singing a sorrowful tune

By R. Fink

Nov 18, 2005

The Rat

Michael J. Bechetti

As if it weren't enough that hackers and other malcontents try every day to install sneaky software on systems, the Rat and other network managers have recently discovered a new Axis of Evil to concern themselves with.

This nefarious organization tricks computer users into installing 'rootkits': software that hides itself to prevent it from being removed and gives itself an unprecedented grip over the user's activities.

Who is this new source of nastiness? The Mob? Al-Qaida?

'Nope, it's Sony,' the Rat informed his boss recently after an agencywide security audit. 'You listen to a Sony BMG CD on your computer, and it downloads a rootkit onto your system to enforce digital rights management.'

Sony's 'Enhanced' CDs carry the malware-disguised-as-rights-management-tool, called XCP, to prevent people from making too many copies of the disks. But to work its charms, the software hijacks the CD-ROM drivers in Windows. So, much to the dismay of people who find the software with a malware scanner, the CD drive ceases to function if the software is removed.

This, of course, has created a little bit of extra work for the Rat and his help desk crew, since he had ordered his troops to remove any malware discovered during a system audit. As a result, he had to restore a host of desktops and notebooks from disk images to get them working again. The whiskered one was not amused.

Of course, the cyberrodent has been looking for an excuse to ban users from playing music on his, er, their computers ever since WinAmp was released. 'They're called "workstations" for a reason, right? If the unwashed masses want to listen to music at work, they're perfectly welcome to bring it in on some media that doesn't pose a security risk.'

While the software itself does no real harm, the Rat and his friends in the security field are concerned that some enterprising young virus writer might take advantage of the software, developed by the U.K. software firm First 4 Internet.

And it turns out, according to security bloggers, there's a similar bit of nastiness on some Sony CDs that affects Mac OS X.

While the Windows rootkit has gotten most of the attention, another piece of software from SunnComm Technologies Inc., called MediaMax DRM, installs kernel extensions onto OS X.

There's also a version of MediaMax that runs on Windows. In fact, SunnComm filed a lawsuit against a Princeton computer science student two years ago over his evaluation of a previous release of MediaMax on Windows, claiming he had violated the Digital Millennium Copyright Act by revealing the driver name used by the software to lock down hard drives. This after he revealed that the software could be defeated by holding down the shift key while inserting a CD.

But the other odious aspect of SunnComm's software is that it has to be connected to the Internet to install because it downloads cryptographic keys from a remote server. That kind of behavior automatically makes MediaMax an unwelcome guest on the Rat's network.

The stink over the rootkit was sufficient to make Sony pull First 4's software from future releases, and for Microsoft Corp. to queue up a security patch to remove it. But that doesn't address the thousands of malware-toting music CDs already in the hands of the wirebiter's computing customers.

'There's only one solution,' the Rat told his boss. 'We'll just have to institute strip searches as part of the log-on process.'

The Packet Rat once managed networks but now spends his time ferreting out bad packets in cyberspace.